If you receive the "Invalid Session" message when your users try to reset their password, there are two known possible causes.
First, your application pool may be recycling while the users are resetting their password. To fix this, open IIS Manager on your server (Start -> Run -> inetmgr), go to the "Application Pools" section, right-click the Password Reset Server app pool, and click "Advanced Settings". Then make sure "Virtual Memory Limit" is set to 0.
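The same check can be done from PowerShell. This is an added example, not part of the original article or the product; it assumes an elevated PowerShell session on the IIS server with the WebAdministration module, and the pool name `PasswordResetServer` is a placeholder for the name shown in IIS Manager. It goes slightly beyond the step above by also listing the pool's other recycle triggers, but it only changes "Virtual Memory Limit", which IIS stores as `recycling.periodicRestart.memory`.

```powershell
param(
    [string]$PoolName = 'PasswordResetServer',  # placeholder pool name (assumption)
    [switch]$Fix                                # without -Fix the script only reports
)

Import-Module WebAdministration -ErrorAction Stop

$poolPath = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$PoolName' not found; list pools with: Get-ChildItem IIS:\AppPools"
}

# IIS Manager labels mapped to the attribute names stored in applicationHost.config.
$triggers = [ordered]@{
    'Virtual Memory Limit (KB)' = 'recycling.periodicRestart.memory'
    'Private Memory Limit (KB)' = 'recycling.periodicRestart.privateMemory'
    'Request Limit'             = 'recycling.periodicRestart.requests'
    'Regular Time Interval'     = 'recycling.periodicRestart.time'
}

# Report every recycle trigger; 0 (or 00:00:00) means that trigger is disabled.
foreach ($label in $triggers.Keys) {
    $value = (Get-ItemProperty $poolPath -Name $triggers[$label]).Value
    '{0,-28} {1}' -f $label, $value
}

# Only the setting named in the article is changed, and only when -Fix is given.
$virtualLimit = (Get-ItemProperty $poolPath -Name 'recycling.periodicRestart.memory').Value
if ($virtualLimit -eq 0) {
    'Virtual Memory Limit is already 0; no change needed.'
} elseif ($Fix) {
    Set-ItemProperty $poolPath -Name 'recycling.periodicRestart.memory' -Value 0
    "Virtual Memory Limit changed from $virtualLimit KB to 0."
} else {
    "Virtual Memory Limit is $virtualLimit KB; re-run with -Fix to set it to 0."
}
```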
Another possible cause is that cookies are being blocked. Cookie blocking is set through Group Policy.
To fix this, log in to your domain controller and edit the Group Policy object tied to the client machines.
Once you have the group policy open, expand User Configuration/Policies/Windows Settings/Internet Explorer Maintenance. Then, click on "Security". Finally, click on "Security Zones and Content Ratings" and check the security settings. The "Do not customize security zones and privacy" option should be selected.
Article ID: 206, Created On: 12/1/2011, Modified: 12/1/2011